File name:

e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed

Full analysis: https://app.any.run/tasks/e98e6ea8-ef61-4738-b3af-27b86b97282f
Verdict: Malicious activity
Analysis date: April 24, 2019, 23:39:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

6CA9A7224ED4E9E90BC93D651FC43F65

SHA1:

E8A12EF6FC92E5772AEFFC470F6960D8163179AD

SHA256:

E6998454B1F41205CA3E663043C0A767D833FFF568B01BC6AC99CAA6C4F449ED

SSDEEP:

49152:qkmbNLrz8WItqRkAVL3MJ3/OYhp9BOTXqz3+qK8HqgqEvZl:vm5LMWfdsvhp6azvbvZl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe (PID: 4036)

    • Application was dropped or rewritten from another process

      • uidcreator.exe (PID: 3692)

    • Changes settings of System certificates

      • e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe (PID: 4036)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe (PID: 4036)

    • Starts application with an unusual extension

      • e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe (PID: 4036)

    • Creates files in the user directory

      • e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe (PID: 4036)

    • Changes tracing settings of the file or console

      • e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe (PID: 4036)

    • Creates files in the program directory

      • e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe (PID: 4036)

    • Adds / modifies Windows certificates

      • e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe (PID: 4036)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:01:30 04:57:48+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 186368
UninitializedDataSize: 2048
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-Jan-2018 03:57:48
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 30-Jan-2018 03:57:48
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00006627
0x00006800
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.45224
.rdata
0x00008000
0x0000149A
0x00001600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.00708
.data
0x0000A000
0x0002AFF8
0x00000600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.03532
.ndata
0x00035000
0x00026000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x0005B000
0x0001BBC8
0x0001BC00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.72898

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.29645
1066
UNKNOWN
English - United States
RT_MANIFEST
2
4.07244
16936
UNKNOWN
English - United States
RT_ICON
3
7.93337
11195
UNKNOWN
English - United States
RT_ICON
4
4.12089
9640
UNKNOWN
English - United States
RT_ICON
5
4.62272
4264
UNKNOWN
English - United States
RT_ICON
6
5.04001
1128
UNKNOWN
English - United States
RT_ICON
103
2.79908
90
UNKNOWN
English - United States
RT_GROUP_ICON
105
2.73893
514
UNKNOWN
English - United States
RT_DIALOG
106
2.91148
248
UNKNOWN
English - United States
RT_DIALOG
111
2.89887
238
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe ns787.tmp no specs uidcreator.exe no specs e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3156"C:\Users\admin\AppData\Local\Temp\e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe" C:\Users\admin\AppData\Local\Temp\e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe
c:\systemroot\system32\ntdll.dll
3192"C:\Users\admin\AppData\Local\Temp\nso767.tmp\ns787.tmp" C:\Users\admin\AppData\Local\Temp\nso767.tmp\uidcreator.exeC:\Users\admin\AppData\Local\Temp\nso767.tmp\ns787.tmpe6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nso767.tmp\ns787.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3692C:\Users\admin\AppData\Local\Temp\nso767.tmp\uidcreator.exeC:\Users\admin\AppData\Local\Temp\nso767.tmp\uidcreator.exens787.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nso767.tmp\uidcreator.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
4036"C:\Users\admin\AppData\Local\Temp\e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe" C:\Users\admin\AppData\Local\Temp\e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
2
Modules
Images
c:\users\admin\appdata\local\temp\e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\usp10.dll
Total events
392
Read events
360
Write events
32
Delete events
0

Modification events

(PID) Process:(4036) e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeKey:HKEY_CURRENT_USER\Software\Microsoft\chst_installer
Operation:writeName:uid
Value:
578b0ce9-2736-4172-b52f-4ddb7cbc4017-59e923e0bfa571ad44af3c38a05c3a298e1dcb40
(PID) Process:(4036) e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(4036) e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(4036) e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(4036) e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(4036) e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(4036) e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(4036) e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(4036) e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(4036) e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
Executable files
5
Suspicious files
0
Text files
1
Unknown types
1

Dropped files

PID
Process
Filename
Type
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Local\Temp\nso767.tmp\ns787.tmp
MD5:
SHA256:
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Local\Temp\r
MD5:
SHA256:
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Local\Temp\nso767.tmp\uidcreator.exeexecutable
MD5:
SHA256:
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Local\Temp\chst_installer_log.txttext
MD5:
SHA256:
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Local\Temp\nso767.tmp\INetC.dllexecutable
MD5:
SHA256:
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Local\Temp\nso767.tmp\ttac_nsis.dllexecutable
MD5:
SHA256:
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Local\Temp\nso767.tmp\LogEx.dllexecutable
MD5:0F96D9EB959AD4E8FD205E6D58CF01B8
SHA256:57EDE354532937E38C4AE9DA3710EE295705EA9770C402DFB3A5C56A32FD4314
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Local\Temp\nso767.tmp\nsExec.dllexecutable
MD5:3D366250FCF8B755FCE575C75F8C79E4
SHA256:8BDD996AE4778C6F829E2BCB651C55EFC9EC37EEEA17D259E013B39528DDDBB6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
3
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4036
e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe
POST
200
216.58.205.238:80
http://www.google-analytics.com/collect
US
image
35 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4036
e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe
216.58.205.238:80
www.google-analytics.com
Google Inc.
US
whitelisted
4036
e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe
62.109.13.130:443
chistilka.ru
JSC ISPsystem
RU
malicious

DNS requests

Domain
IP
Reputation
www.google-analytics.com
  • 216.58.205.238
whitelisted
config.chistilka.com
unknown
chistilka.ru
  • 62.109.13.130
malicious

Threats

PID
Process
Class
Message
4036
e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe
A Network Trojan was detected
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed